A C-level’s Guide to Business Continuity Management

/in /by

What’s inside:

In today’s fast-paced and data-driven world, the ability to respond and adapt to change is more critical than ever before. While most companies are invested in improving their key business interests, few are capable of implementing a comprehensive continuity plan if something goes wrong. 

Chapter 1

What is business continuity management, and why is it critical in 2019?

What is business continuity management, and why is it critical in 2019?

Business continuity management (BCM) includes a range of measures dedicated to the protection of key business assets and the development of alternate modes of operation when business activities are interrupted. Placing a high value on BCM is a crucial aspect of long-term management and procedural sustainability.

Despite the growing importance of BCM, 75% of small businesses have no disaster recovery plan.

Modern organizations face increasingly complex business and operational challenges. With an increased reliance on data and network flows, information security and business continuity have become an important part of the risk and crisis management. BCM consists of three core components:

  • Crisis management
  • Business recovery planning
  • IT disaster recovery

Business continuity is no longer an added extra for vigilant organizations, but a must-have service in the same ballpark as cybersecurity and IT support structures. In order to ensure your full protection, it’s important to research best practices and align your BCM objectives with the goals of your organization.

By 2021, cybercrime will cost $6 trillion per year worldwide. This represents the greatest transfer of wealth in history. Are you ready?

Chapter 2

Best practices for business continuity

Every organization has to create its own business continuity plan, with the approach and scope of the overall project needing to align with specific business requirements and constraints. Despite the highly specific nature of these requirements, there are a few well-known characteristics that are known to lead to best practice outcomes.

In practice, most of these elements need to be refined over time and applied in an iterative fashion to ensure a tight feedback loop between implementation and results.

  • Policies and standards – Professional BCM requires a detailed plan of attack, with policies and standards needing to be created from the outset. Different areas of BCM need to be defined, with effective programs assigned to each area based on needs and constraints.
  • Business impact analysis (BIA) – A relevant and well prepared BIA can add value to any organization. Making policies is not enough in isolation; you also need to establish the core objectives of your recovery efforts and justify associated resources and expenses.
  • Risk identification and assessment- While anyone can benefit from BCM, the risks faced by organizations are known to differ widely. It’s important to identify and prioritize threats and failure scenarios in order to allocate your resources effectively.
  • Strategy and cost-benefit analysis – Not all continuity efforts are created equal, with a detailed cost-benefit analysis needed before you can implement specific solutions. Before you can design an effective strategy, you need to analyze your BIA and risk assessment and conduct a cost-benefit analysis.
  • Documentation – Depending on the size of your organization, extensive continuity management can get complex fast. All work needs to be documented, including risk analysis, response mechanisms, and recovery procedures.
  • Testing – Just like everything else in business, an effective BCM plan does not exist until it’s been thoroughly tested and validated within an operational context. In order to be effective, testing needs to carried out continually across development iterations.
  • Training – Your continuity efforts are useless if they’re not applied properly. Staff awareness and training are needed for general and recovery team members, both during the early days of BCM implementation and on an ongoing basis.
  • Compliance – While BCM helps to ensure compliance and promote consistency across industry sectors, you need to adhere to existing frameworks and continuity standards within the context of your organization.

Chapter 3

Overcoming the biggest challenges of BCM

Despite the overall usefulness of BCM and associated standards, organizations need to overcome a number of challenges when it comes to implementation and delivery. Understanding these complex challenges is the key to a successful operation, with each obstacle needing an equal and opposite counter-measure.

From a lack of managerial support through to budget constraints and lack of coordination between departments, let’s take a look at the biggest challenges and how to overcome them:

Lack of support

While continuity management is always challenging, it’s pretty much impossible when you don’t have support from management. Change starts from the top, with managers and executives needing to be completely on-board in order to drive change. While most executives will make appropriate moves when they need to abide by regulations, pro-active measures can be harder to instigate. One of the best ways to engage executives is to carry out a detailed vulnerability analysis that highlights the link between specific risks and loss scenarios.

Budget and timeline constraints

While most businesses are prepared to invest in efficiency measures that improve operations, few are willing to invest in mitigation measures that secure against loss or damage. This short-sighted view is a type of false economy, with companies that fail to act likely to suffer the consequences. Downtime costs money, with companies spending a minimum of $926 per minute when they experience an unplanned outage, and some companies experiencing up to $17,244.

Budget constraints and short-term profit-taking are the death of many good ideas, with continuity management need to be framed as a critical safeguard rather than an unwanted expense. Unrealistic timelines can also stop BCM in its tracks, with gradual analysis and implementation often preferred over the wholesale adoption of new procedures.

Lack of awareness and training

Like most things in business, BCM is only as strong as its weakest link. Human error accounts for 52% of all security breaches. In order to ensure a culture of readiness, it’s important to undergo training initiatives throughout your organization. Depending on the business in question, awareness and training programs should address the overall scope of the continuity program while also addressing individual procedures. Flexibility and agility are key, with training mechanisms needing to adapt and respond to technology and procedural shifts.

Too many moving pieces

Reliable continuity management demands a robust and consistent approach. Too many moving pieces can ruin the transmission and translation of knowledge, with settled companies more likely to get their message through to team members. Employee turnover can be a big problem when it comes to BCM, with changing faces often leading to a lack of procedural awareness. Inconsistent supply chains and service providers can also cause major issues, so think about developing long-term relationships and be prepared to pay a little extra for sustainable and well-coordinated business structures. 

Ongoing software development also puts additional pressure on critical systems, with most vulnerabilities taking place after software updates. There are more than 111 billion lines of new code produced each year, which creates new vulnerabilities to be exploited.

Lack of coordination

Practical coordination and efficient communication are key to all successful continuity efforts. Too many moving pieces is just one way to threaten the continuity, with organizations also likely to experience weakness due to a lack of coordination and communication between departments, suppliers, and stakeholders. It’s important to develop a contact verification tool that integrates across key assets, with a web-based management system able to save you time and money. Robust BCM needs to confirm contact information and automate changes without disrupting key business processes.

Unidentified processes

In order to be effective, a continuity plan needs to identify critical processes that may lead to disruptions. Response procedures are entirely dependent on this process, with different mechanisms put in place based on the potential impact of security and crisis situations. The ability to identify, quantify and segment business processes based on real and perceived threat levels is key. Whether it’s your internal IT systems, your employees, or your infrastructure, unidentified processes are likely to fall between the cracks.

Unidentified threats

Identifying critical processes is not enough in isolation; you also need to identify threats and vulnerabilities that could impact your organization. A hazard analysis can be beneficial during this phase, with a report needed to indicate the likeliness of specific threats and their intended impact. Whether it’s adverse weather events, cybersecurity trends, or maintenance issues, it’s always important to measure threats in relation to your existing capabilities and mitigation efforts.

Insecure supply chain

Setting up a secure alternate supply chain is both highly practical and incredibly useful. While you can manage your internal procedures and team members, it’s impossible to manage all potential disruptions that can occur outside of your domain. From power and information flows through to specific business products and services, you need to develop a plan B by researching supply options and securing new partners.

Chapter 4

Auditing existing business continuity plans

Current business continuity plans are rarely enough, with most businesses focusing on particular avenues of risk management or failing to make plans altogether. Before you move ahead with BCM, you need to be realistic about where you stand and what it’s likely to mean for your organization. It’s important to audit your existing framework, identify security and continuity gaps, and make moves to develop a more comprehensive level of coverage.

According to Gartner, 35% of organizations without a mature BCM program will experience significant problems recovering from one or more mission-critical business processes in 2019.

There are a number of technical issues to address during this stage, with crisis management, business resumption planning, and IT security and disaster programs all needing their own solutions. An internal audit helps to identify potential operational problems, improve key processes and systems, and create a sustainable and iterative relationship between specific risks and key business activities. The auditing process is integral to operational resiliency and long-term sustainability.

The scope of a BCM audit

The scope of an internal audit should reflect the operational capacity and exposure of the organization. While some companies are inherently well-protected due to a lack of critical information systems, others are open to multiple risks and vulnerabilities throughout the working week. 

When organizing an audit, it’s important to consider program governance and overall program management, along with any potential procedural changes. While an accurate snapshot of your organization is critical, a moving picture of your capabilities is also required.

  • Program governance – Does your organization place enough emphasis on continuity measures? If your company culture fails to align with the objectives of BCM, positive changes are unlikely. It’s important to identify key decision-makers, reach out to potential sponsors, and engage interested stakeholders during this phase.
  • Program management – Ongoing program management needs to balance the objectives of the program with the capabilities of the organization. During this phase, it’s important to recognize conflicting interests, balance key objectives, and change ideas on the ground, so BCM is seen as an ongoing force for good.
  • Procedural changes – The success or failure of BCM is dependent on your ability to respond if things don’t go your way. Are your systems resilient in the face of change? Does your organization have the ability to adapt and evolve in response to new threats and challenges?

Along with these three principal components, a number of technical and practical fail points are likely to present themselves during the audit process. Whether it’s incompatible IT systems, inconsistent training regimens, or a disaster recovery plan that doesn’t align with your natural environment, an audit will help to uncover any potential issues before they create a snowball effect.

An audit of your current BCM is likely to include the following elements:

  • Review of current BCM measures
  • IT systems and network analysis
  • Employee and stakeholder interviews
  • Contact and verification checks
  • Recovery time definitions and reviews
  • Training materials reviewed
  • Testing procedures reviewed
  • Service providers reviewed
  • Overall readiness efforts reviewed

If you want honest feedback, an independent assessment of your internal audit can be incredibly valuable. In the vast majority of cases, the scope and scale of response mechanisms are not aligned with the challenges of the modern world.

Chapter 5

Getting organizational buy-in for BCM

BCM program leadership comes in many forms, with ownership and sponsorship roles both common along with custodianship. Anyone with extensive knowledge and visibility of key organizational elements can provide leadership, including the chief executive officer (CEO), the chief financial officer (CFO), the chief operating officer (COO), the chief risk officer (CRO), or the chief information officer (CIO).

Anyone in the executive council can take ownership of these important programs, including the senior management team and director of human resources. In order to confirm a management buy-in, it’s important to highlight the importance of BCM in the modern world. There are many ways to do this, from new regulatory requirements and compliance standards through to audit findings, customer demands, and risk assessment reports.

The following methods are often used to drive or confirm a management buy-in:

  • New internal policy – New internal policies often highlight the need for additional continuity measures, with modern businesses increasingly unable to distract themselves from this important issue.
  • Regulatory requirements – New compliance standards are a key driver of security and continuity. When BCM becomes a legal issue, organizations are forced to respond.
  • Customer demands – The customer is always right, with more customers and other stakeholders demanding continuity in order to protect privacy, and ensure information security.
  • Lessons from high-profile companies – Organizations are often motivated to act in order to avoid the catastrophic failure experienced by other companies. High profile cases in the media are a key driver of change.
  • Public relations – Business continuity can help to differentiate companies and give them a competitive advantage. When the right plans are developed and publicized effectively, customer and staff loyalty are both likely to increase.
  • Insurance return on investment – Depending on the organization and industry sector, BCM can help to make insurance premiums less expensive.
  • Internal audit – Regular internal audits can help to identify gaps in existing continuity coverage, especially when they’re accompanied by an independent third-party assessment.
  • Risk assessment report – A risk assessment report and corresponding business impact analysis can help to identify continuity problems and educate management on the positives of BCM. 

By identifying likely procedural interruptions and estimating the potential costs of downtime, management, and executive teams will understand the real impact of not taking action. When key stakeholders understand the regulatory risk, financial risk, and reputation risk that accompany a lack of business continuity, there is only one decision left to make. Are you doing enough to ensure the long-term safety and success of your organization? If you want to learn more about business continuity management, please contact ISG to discuss your requirements.

The complete DIY disaster recovery guide for SMBs

/in /by
What’s inside:

  • What your people need to know about disaster recovery
  • The essential components of disaster recovery for SMBs
  • Why you need a disaster recovery plan (even if you think you don’t)
  • How to test your disaster recovery plan

Chapter 1

Why you need a disaster recovery plan (even if you think you don’t)

When you’re a small business owner, you absolutely need a disaster recovery plan. Unfortunately, a surprising number of owners shrug off this fact. Here are a few of the most common reasons we hear:
  • Nothing bad will happen . . . or if it does, it won’t be too bad
  • Time is better spent focusing on today’s issues and not on “what ifs”
  • A disaster recovery plan is important, and it’ll get done soon (rinse and repeat)

You see where this is going. A disaster hits the business, and, just like that, months or years of hard work disappear. It’s nothing short of tragic. Particularly because there are things you can do to prepare.

But first . . . what is a disaster recovery plan?

Before we get into the nuts and bolts of disaster recovery, let’s make sure we’re all on the same page. What is a disaster recovery plan?

It’s a plan to help your IT systems get back on track after an emergency. You may sometimes hear the term “business continuity,” as well. The two are not the same thing. Business continuity addresses everything necessary to keep a business running, no matter what. Part of that is disaster recovery.

The likelihood of a disaster

Ready for some less-than-pleasant news? It’s likely your business will experience a disaster.
Oh, you may never have to endure a tornado or a hurricane, but something will eventually take your entire business offline unexpectedly. Disasters come in different forms and vary in severity.

There are natural disasters such as earthquakes, fires, floods and blizzards. And then there are technological disasters such as cyberattacks, phishing scams, internet outages, and power failures. There are even man-made disasters such as civil unrest, terrorism and explosions. Not to mention the “small” stuff, like simple blackouts.

And the more unprepared you are, the more costly downtime is. Even one hour of downtime could cost your business several thousand dollars.

Take a look at these stats

You don’t have to take our word for it about the high cost of poor preparation. The numbers tell the story just fine on their own.

40-60%

After a disaster, 40 to 60% of businesses fail to reopen. Of those that do reopen, 25 percent go out of business within a year.

Statistic Graphic

90% of small businesses close within a year if they cannot get their operations back up within five days.


Statistic Graphic

46% of businesses have incomplete disaster recovery plans or no plan at all.

Statistic Graphic

22% of businesses have declared a disaster in the past five years. The top causes were IT failures (hardware failures, network failures, etc.), power outages, floods, cyberattacks, natural disasters and human error.

How disasters affect your IT systems

And here’s where things get real. Let’s look at how a lack of preparedness could potentially affect your business.

  • A hardware or software failure could severely impact employee productivity and lead to disgruntled customers.
  • One of your employees could fall for a phishing scam and give cybercriminals access to sensitive company accounts, which are drained. Your business is then out thousands of dollars.
  • The space where your data center is stored could experience a burst water pipe that destroys the equipment housing your data.
  • A fire could burn your business down to the ground, completely wiping out your IT infrastructure.
  • A lightning strike could create a surge and fry critical equipment, forcing you to close for just a few days. In that short time, your business could get a reputation for being unprepared or unreliable.

That’s why you need a plan

A disaster recovery plan doesn’t stop the disaster. That’s not its purpose. But it does give you a way to bounce back. When you’re facing downtime, that’s what matters—how quickly you can get your network back online.

A disaster for your business won’t necessarily come in the form of a raging inferno or thundering hurricane. Rather, it may have more mundane roots, such as a power outage or human error. Whatever form the disaster takes, your hard work could go down the drain if your business lacks a recovery plan.

Chapter 2

The essential components of disaster recovery for SMBs

Now that we’ve explained why it’s important to have a disaster recovery plan, what exactly should your plan include? Here’s a look at essentials such as backups, communications and employee training.

Backups

Your business data can be lost or destroyed in many ways. Here are just a few examples:

  • Accidents, such as a liquid spill, a laptop drop or accidental deletion
  • Disasters, such as a fire, flood or tornado
  • Cybercriminal activity, such as malware, ransomware or a virus
  • Theft, even as small as smartphone theft

Part of the goal for your disaster recovery plan is to protect your data. One way to do that is to make sure everything is backed up. That way, even if something wiped out your entire office, you wouldn’t lose the information you depend on to run your business.

The 3-2-1 rule

Aim to follow the 3-2-1 rule.

3

Three backup copies

2

In two mediums such as the cloud and hard drives

1

One copy stored offsite


The cloud is an essential player in data backups because you can continue work outside of the office and retrieve data from anywhere. Think about other things that contribute to your backup plan, as well.

  • Do you have “backup vendors” (like an ISP) should you need to quickly move from one service provider to another?
  • Do you have a backup or redundant power supply source, like an onsite generator? (If you keep a backup server onsite, you may need one.)
  • Do you have backup supplies (like food and bedding) for employees who might need to stay at the office in the event of an emergency?

Most SMBs work with a managed services provider or an offsite data center provider instead of managing their own data center onsite. Before selecting a provider, ask about their plans to prevent and mitigate disasters.

Communications plan

It’s easy to focus too much on IT in a disaster recovery plan and to forget about the human aspect. Ensure that your plan incorporates the many types of communications that may be necessary. Some things to think about include:

  • Who speaks for the company to the media, emergency responders, third-party vendors and others? (It can be a different person for each.)
  • Who reaches out to clients or customers? And how?
  • Who reaches out to employees? And how?
  • How much information do you plan to reveal in the event of a disaster? And how will you reassure those who need encouragement?
  • Do you have contact numbers (work and personal) for everyone on your staff?
  • Who are the critical members of your staff and/or what are the critical roles that have to be covered to keep your business going?

Priorities

Which systems are most critical to your mission? How much time can go by before disruption to the business becomes a serious issue? How can you protect proprietary information?

Your plan should be designed in terms of priorities. There are undoubtedly normal functions in your business you could skip or go without if you had to. As you build out your plan, make it a point to attend to the necessary stuff first.
High-priority functions should have built-in redundancy.

Your “go team”

One component of your plan is to establish a “go team” that springs into action quickly in the event of a disaster. Here’s what you’ll need to do to prep your go team.

Go team prep

Tranning Icon

Train regularly so they’re prepared to act efficiently in various scenarios

Cross training icon

Receive cross-training so they can perform multiple roles

Work relationship icon

Establish relationships with third parties such as the fire department and your data center provider

It’s also important for regular employees—those not necessarily at the forefront of disaster response—to receive training. We’ll look at that more in-depth in part 3 of this ebook.

In addition, disasters aren’t necessarily in the form of fires or hurricanes. For example, a phishing scam or a set of weak passwords could cripple your business. Disaster recovery also includes disaster prevention and mitigation.

Educating your employees on strong passwords, ransomware, phishing and more can prevent disasters and keep your employees calm and your data secure when one does occur.

Prevention

Just like you can prevent the likelihood of disasters with good employee education, you can also minimize the odds with regular maintenance and testing of your IT infrastructure. The same goes for testing your disaster recovery plan.

Say a fire breaks out at your workplace and it’s been a while since sprinkler systems and fire detection systems were tested. Will they work? Maybe. Maybe not.

Regular testing ensures everything is operating as it should. 52 percent of businesses test this kind of thing just once a year or less. We’ll look more at what complete testing of your disaster recovery plan looks like in part 4 of this ebook.

Chapter 3

What your people need to know about disaster recovery

Training your small business employees to deal with disasters can minimize the effects of a catastrophe, and it could be the difference between a quick recovery and devastating damage.

How to stay safe before, during and after

Employee safety comes first. Being able to access business email and VOIP telephone systems won’t matter if your people are injured. And while your data is certainly valuable, your people are irreplaceable. Make sure your disaster recovery plan includes emergency safety procedures.

You’ll also want to give some thought to alternative work locations and security practices in the wake of a disaster. If your office is unusable, where will your people go? Are you equipped to work from home? And how will you maintain data security in the interim?

Why disasters wear different faces

Most people immediately think of weather and natural disasters when they hear the phrase “disaster recovery.” But disasters come in all shapes, sizes and forms. And an IT-specific disaster can be just as costly as a fire—or even more costly. Make sure your employees have a well-rounded idea of the potential disasters you face as a company. That list should include:

  • Hardware failure
  • User error (a major cause of IT disasters)
  • Power outages
  • Software problems

Some employees may not even know a disaster has occurred until after the fact. Clarifying the definition of “disaster” helps employees get on board more with prevention training.

How to prevent disasters

Use onboarding and continuing training to cover the essential topics. Any new employee should go through disaster recovery training, but don’t assume everyone will remember all those details. Be sure to do periodic refresher training sessions, as well.

Disaster prevention topics

Scam email icon

Recognizing phishing scams

Password Icon

Using strong passwords

Download icon

Downloading attachments

Laptop icon

Following the BYOD policy

WiFI moden icon

Browsing safely on public Wi-Fi while working

Mobile devices icon

Securing laptops, smartphones and other devices


Slipping up in any of these areas can lead to an IT disaster that severely harms your business. Explain the why and how so employees know why this training matters. After all, you’re not trying to dump extra work on them. You’re trying to protect the business.

Where to go and what to do after a disaster

Suppose a disaster compels your business to move to alternative offices or to switch to telecommuting for a while. Your employees need to know a few things.

How to communicate with the company

Should they wait for an email from their team leader? Or proactively call in themselves? Or something else?

Where to go

Are you prepared to work from home? Or do you have an alternative office site B? And how soon do you expect employees to check in? To be available to work?

How to get to work

If there are folks who absolutely have to come to an office, will your business provide alternative transportation? If a critical staff member cannot get to that office, what’s your secondary plan for that?

How to access company programs and equipment

If a cloud computing service is down, what’s the next option? If a laptop is at the office and that has become an unsafe site, what should your employees do?

Who to contact

Who should everyone reach out to with questions, concerns or critical information? Make sure this list is longer than one name—and you almost certainly don’t want to be the point person here if your team is bigger than 10 people.

Are there any temporary policies or procedures?

Any different data security protocols to follow? Should they make adjustments to how they work normal tasks or prioritize things differently during the recovery period?

Everything else

To make sure you’ve covered all the other topics listed above, make sure you’ve considered the following.

  • What technology will be accessible during an emergency?
  • How can the business keep its data secure during an emergency?
  • What happens if the offsite data facility is destroyed?

Looking at the last question, if your business and/or employees have been following the 3-2-1 rule, there are copies of employee data that survived the facility being destroyed. Remember, disaster recovery isn’t just about getting data back—it’s also about mitigating risk and preventing data from being compromised in the first place.

Test both your business continuity and disaster recovery plans

You never fully realize everything your employees need to know until an actual disaster strikes. That’s where testing comes in.

Testing helps everyone in the business better understand how to deal with various types of disasters and how to prevent them. It also pinpoints weaknesses in your current plan, including what employees need to know and do. Test regularly! Don’t be one of the 23 percent of businesses that leave themselves unnecessarily vulnerable.

Chapter 4

How to test your disaster recovery plan

You know the saying, “Practice makes perfect.” So it goes with testing disaster recovery plans. Companies that regularly test their plans, making necessary adjustments based on feedback, are in a much better position to get through extreme weather, hardware failures, human error, cyberattacks, and other types of IT disasters.

However, not enough businesses test their plans (or they don’t test often enough). In fact, one study shows that 23 percent of companies don’t test at all due to reasons such as plan complexity and a lack of time and resources. If this sounds like your company, find a way to address these issues or you may lose revenue or even go out of business. Here are a few tips for your disaster recovery testing.

Determine the scope

Your managed services provider, if you have one, can help you figure out the scope of your testing. If your business is small, it may be that spinning up virtual machines locally or in the cloud is sufficient for some rounds of testing. If the business is larger, testing may entail unplugging a server or intentionally causing downtime in some other way.

Consider factors such as the time and resource needs of testing plus any disruption that testing would cause your customers and how much disruption they could tolerate.

Set goals

Design each DR test with a goal and figure out the results you expect. Who is involved, and what exactly is being tested? Consider other questions such as the date of your last DR test and any IT changes since then that may require updates to the plan before testing takes place.

Document the process

There’s little point in running DR tests if no one documents the processes or acts on feedback to make adjustments. Designate one person in the business to observe and document the test.

Point person tasks

  • Record how long each step takes
  • Record any missing steps not already documented for restoration, data recovery, and emergency communications
  • Record any unexpected failures in detail
  • Record the human performance of your team

To expand on the latter point, how did your employees do when faced with a bewildering turn of events? Were there parts of the DR plan that remained unclear to some employees or that caused them undue angst? Did internal or external communications fall through due to human error?

Implement feedback

Your testing may have gone well—even perfectly. If so, congratulations. Otherwise, act on the feedback you receive to make any necessary changes.

For instance, maybe several of your employees need a better understanding of their role in DR, and they need to be trained. Perhaps your systems take unacceptably long to get back online—why? How can you shorten that time frame?

Test regularly

At the bare minimum, test your plan once a year. Even better, practice it once every quarter (four times a year). Testing every month or every week may even make sense depending on the size of your company, the IT infrastructure, regulatory requirements, and how reliant your company is on IT.

You can test different elements each time with a full-scale run once a year. Remember, a disaster doesn’t have to be a full-blown act of God to make an impact. Downtime a few times a year due to internet outages can erode client confidence over time and result in clients leaving.

It can also be a good idea to run a DR test when new people step into roles. For instance, if your lead IT employee leaves and someone new steps in, don’t wait too long before doing DR testing with this new person. Otherwise, your business could be vulnerable if disaster does strike.

For guidance putting all this information to good use in your own disaster recovery plan, get in touch with one of our business continuity professionals at ISG Technology.